Configuring User-ID on PanOS, including PANOS 6 best practices and the new “Agentless” User-ID
Need to implement user identification on a Palo Alto Networks firewall
The new integrated agent (aka agentless) User-ID simplifies implementation.
Even with Agentless, you may need to add a LOT of servers.
You can define entries for up to 100 Microsoft Active Directory, Microsoft Exchange, or Novell eDirectory servers on your network. Keep in mind that in order to collect all of the required mappings, you must connect to all servers that your users log in to so that the firewall can monitor the security log files on all servers that contain logon events.
On the CLI, you can monitor the userID connection:
show user server monitor state all